Media Discovers Spyware

Discussion in 'other anti-trojan software' started by Nancy_McAleavey, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    1. GENERAL COMMENTS

    In principle, I do not want to comment on this article because Wayne already made a funny statement: "I hope this is a one-off brain explosion" ;-)

    I would like to mention though that other software developers also publish biased tests:

    Emsisoft:

    http://www.anti-trojan-software.net/

    Agnitum:

    http://www.agnitum.com/products/tauscan/compare.html

    ___

    2. KEVIN'S STATEMENTS RE THE SCHEINSICHERHEIT PROJECT

    @Kevin

    This relates to your below-quoted comments:

    a) Comments Relating To Our Incompetence / Testing Methodology

    "There hasn't YET been ONE review in all these years that have been done by anybody who even REMOTELY understands the innards of these things."

    "I *must* agree with you ... of ALL the "reviewers," Nautilus came the closest of ALL to "getting it." But as he'll tell you himself, his own expectations of what would happen along with his test protocol MODIFIED the outcome because he was trying to get through his testing rather than letting things work in a more "real world" sense."

    "But his methodologies made us ALL crazy because BOClean wasn't designed to be tested in the manner in which he tested, and thus he got some INTERESTING results from it."

    "I still stand by my words though - the only one who can TRULY test anti-malware is someone who DID it for a living, KNOWS what is supposed to happen and what is NOT supposed to happen."

    In principle, this issue has been discussed before ( http://illusivesecurity.il.funpic.de/viewtopic.php?t=51&sid=7fd1edb4749804f0a16e6c9cfa014b9a ). As regards our "flawed" testing methodology: It is STILL possible to change the test if it is flawed. You can STILL prove that we are wrong and you are right. However, this will NOT work unless you substantiate your comments. From my perspective, we DID take into account the particularities of BOClean and used a proper method for our tests. I believe that you still do not (want to) understand how the testing methodology was changed during the test in order to take into account the particularities of BOClean. We contacted you during the testing procedure BECAUSE we were unhappy with the initial test results/testing method. If you believe that the testing method is still wrong you need to explain it.

    I partially agree with the AV/AT developers who say that, in principle, testers are less skilled than AV/AT developers and, therefore, AV/AT developers would be the better testers (if they were not biased). I would like to mention, however, that AV/AT developers are also not god-like creatures who know each and everything. For example, an unnamed AV/AT developer learned from us something about the (non-)existence of a behaviour called "mandatory handshake" ;-) I could provide MANY more examples but I do not want to embarrass anyone.

    b) Comments Relating To Our Felonies

    "And I'm personally STILL angry a bit with him for publishing our databases for "ne'er-do-wells" to abuse - had he done that in the US, it could have been jail time. What was done was highly illegal. I'll let others debate the moral questions."

    This one is new. So far, you never said that we acted in an illegal manner. Let's get things straight: You did not encrypt your database (in memory). We did not decrypt it. We simply said that it's not encrypted in memory. We also disclosed one or two signatures as an example (but not the entire signature database). We also disclosed a few signatures from other scanners' databases.

    If you believe that this is "highly illegal" you should cite the respective provisions (e.g., a provision from the Digital Millennium Act) violated by us. If you had timely informed us about the violated provision (assuming that there is one) we would not have published the respective part of the report.

    I think you should definitely explain your comment in more detail because it may also be illegal to call someone's practice "highly illegal" if it is not illegal at all ...

    ___

    3. BOClean -- File Scanner or Memory Scanner?

    There seems to be some confusion whether BOClean has a file scanner or not. We came to the conclusion that BOClean needs a file scanner in order to detect injected trojan DLLs because it does not have/does not use a module memory scanner in order to detect such trojan DLLs. The process mem scanner of BOClean can only detect the loader.exe (if any). Perhaps this is the right opportunity for Kevin to explain the exact purpose of BOClean's file scanner.

    ___

    4. BOClean 4.12 -- Any new features?

    Some of the comments which apply to signature-based file scanning (e.g., signature-based scanners can be easily bypassed with the help of patched/modified malware) also apply to signature-based memory scanning.

    Does BOClean 4.12 (or will BOClean 5) employ any scanning techniques which are not signature based?

    EDITED:

    5. Malware Sharing

    @ Kevin

    "Once upon a time, all of us COOPERATED and SHARED with one another."

    I believe that VX (malware exchange) is fine. A 1:1 ratio should apply.

    Moreover, it seems to me that there IS some malware sharing. See https://www.wilderssecurity.com/showthread.php?t=78842

    Gavin does not want to talk about the existence of malware pools. Perhaps you do not consider this a secret?

    6. Strange Comments

    I do not think that it makes sense to publicly post non-explained "insider stuff" in this topic. Most people may not understand that Magnus Mischel (the developer of Trojan Hunter) was insulted in this thread. I do not understand the comments relating to the "Rokop guys". Can anyone explain this to me? Thanks.
     
    Last edited: May 21, 2005
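    Sections 3 and 4 of the post above turn on two mechanics: a process-memory scanner that looks only at a process's own executable image cannot see a trojan DLL mapped into another process (only a module scanner that walks the loaded modules can), and a signature that matches exact bytes stops hitting once a sample is modified. The toy model below is an added example, not code from the thread, from BOClean or from any other product named here; the process layout, module contents, signatures and the "patched" sample are all constructed, and the wildcard-signature format is an assumption used only to show why signatures that tolerate small byte changes are more robust than exact ones.

```python
"""Toy model of process-memory scanning vs module-memory scanning, and of
exact vs wildcard signatures. Everything here is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    image: bytes          # bytes of the mapped module as a scanner would read them


@dataclass
class Process:
    name: str
    main_image: bytes     # the process's own executable image
    modules: list = field(default_factory=list)


# Constructed signatures. An exact signature is a byte string; a wildcard
# signature is a list of ints where None means "any byte" at that position.
EXACT_SIGS = {
    "Toy.Loader": b"LOADER-MARKER-v1",
    "Toy.InjectedDll": b"DLL-PAYLOAD-MARKER",
}
WILDCARD_SIGS = {
    # Same DLL marker, but the three bytes after "DLL-" are left unspecified.
    "Toy.InjectedDll.generic": [ord(c) for c in "DLL-"] + [None] * 3
                               + [ord(c) for c in "LOAD-MARKER"],
}


def match_wildcard(image: bytes, pattern: list) -> bool:
    """True if pattern occurs anywhere in image, treating None as any byte."""
    n = len(pattern)
    for start in range(len(image) - n + 1):
        if all(p is None or image[start + i] == p for i, p in enumerate(pattern)):
            return True
    return False


def scan_image(image: bytes) -> list:
    """Names of all exact and wildcard signatures that hit in one image."""
    hits = [name for name, sig in EXACT_SIGS.items() if sig in image]
    hits += [name for name, pat in WILDCARD_SIGS.items() if match_wildcard(image, pat)]
    return hits


def process_scan(proc: Process) -> dict:
    """Process scanner: only the main executable image is inspected."""
    return {proc.name: scan_image(proc.main_image)}


def module_scan(proc: Process) -> dict:
    """Module scanner: the main image plus every module mapped into the process."""
    result = {proc.name: scan_image(proc.main_image)}
    for m in proc.modules:
        result[m.name] = scan_image(m.image)
    return result


def build_victim(dll_image: bytes) -> Process:
    """Constructed 'explorer.exe' whose own image is clean but which has a trojan
    DLL mapped into it; the loader that injected it is assumed to have exited."""
    return Process("explorer.exe", b"CLEAN-SHELL-CODE-OF-EXPLORER",
                   modules=[Module("kernel32.dll", b"CLEAN-SYSTEM-DLL"),
                            Module("trojan.dll", dll_image)])


# Constructed sample bytes, and a copy with a single byte changed inside the
# marker ("PAY" -> "PAX"), standing in for a modified build of the same trojan.
ORIGINAL_DLL = b"PE-HEADER..." + b"DLL-PAYLOAD-MARKER" + b"...rest"
PATCHED_DLL = ORIGINAL_DLL.replace(b"DLL-PAY", b"DLL-PAX")


if __name__ == "__main__":
    for label, dll in (("original", ORIGINAL_DLL), ("patched", PATCHED_DLL)):
        victim = build_victim(dll)
        print(label, "process scan:", process_scan(victim))
        print(label, "module scan: ", module_scan(victim))
```

Running it shows the two points side by side: the process scan of explorer.exe reports nothing in both runs because its own image is clean, while the module scan finds the DLL; for the patched copy the exact signature no longer hits and only the wildcard signature still identifies it. In practice a module scanner would enumerate the real module list of each process rather than a constructed one, and signature robustness is a matter of how the signature is written, not of where the scanner reads from.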
  2. controler

    controler Guest

    I am guessing the mention of rokop was only to the forums.
    Here & there.
    Did you get some other hidden meaning out of it?

    Do you think encrypting the mem sigs is important?
    I thought I saw a message stating they are now encrypted.

    I agree, questioning software makers' logic is sometimes useful.
    I doubt they would go into their "secrets" as it would give the bad guys an edge, don't you agree?
    I also remember a thread mentioning the different AT makers do share sigs.
    I do think they should detect "riskware"


    Bruce
     
  3. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
  4. -.-.-.-.-

    -.-.-.-.- Guest
